Review My Emails

Gmail & Yahoo Bulk Sender Compliance Checklist

12 steps to stay out of the spam folder (and stay there)

Gmail and Yahoo started enforcing stricter sender rules in February 2024. That was over two years ago. If you haven't checked your compliance since then, you're likely already being penalized. The error messages won't tell you that's why.

These rules aren't suggestions. Fail them and your emails get silently routed to spam, throttled, or rejected outright. The worst part: you'll think it's a content problem when it's actually a plumbing problem.

Who needs this checklist?

You're a bulk sender if any single domain you own has sent (or will ever send) 5,000+ messages within a 24-hour window to Gmail, Yahoo, or Microsoft (Outlook, Hotmail, Live) addresses. This is measured at the domain level. Not per inbox, not per subdomain, not per campaign. It's your total volume across the whole domain in any given day.

That means if you sent one big launch campaign last year that pushed you over 5,000 to Gmail addresses for one day, you're a bulk sender. You don't have to be sending 5,000 a day every day. You only have to have crossed it once. The classification stays with the domain, even if you only send 200/day going forward.

You still need steps 1-5 even if your domain has never crossed 5,000. The authentication requirements apply to every sender. The stricter rules (one-click unsubscribe, spam rate caps, complaint monitoring) are what kick in at bulk-sender classification.

This checklist maps each requirement to something you can check in the next 30 minutes. Not theory. Actions.

Run the automatic check on your domain

Enter your email and domain. We'll check SPF, DMARC, DNS, and more in seconds. Your results are saved so you can come back.

Before You Start: Map Every Domain and Subdomain

Most businesses don't send email from just one domain. You run Steps 1-12 for each domain and subdomain that sends email. Before you start checking boxes, make a list.

What to do: Write down every domain and subdomain your organization uses for email. Including the ones you forgot about.

Common ones people forget:

  • Your main domain (example.com): marketing plus transactional
  • Subdomains for different mail streams (mail.example.com, news.example.com)
  • A separate domain for cold outreach or sales (examplehq.com)
  • Legacy domains you kept after a rebrand
  • Domains that don't send email but could be spoofed
  • Internal tools or SaaS apps sending as a subdomain

Why non-sending domains matter: If you own examplebrand.com but never send email from it, you still need a DMARC record. Otherwise anyone can spoof it. Publishing v=DMARC1; p=reject on domains you don't use for email tells mailbox providers "reject everything claiming to be from this domain." That's free protection.

Gotcha: Subdomains don't automatically inherit the parent domain's DMARC policy unless you set sp= (subdomain policy) in the parent record. SPF and DKIM records are never inherited. Each subdomain needs its own.
Step 1

Publish an SPF Record

What to do: Add a TXT record at your domain that lists every server allowed to send email on your behalf.

How to check: SPF Checker. Enter your domain. You should see a valid record that includes your ESP.

Gotcha: SPF only covers the envelope sender (Return-Path), not your visible From: address. This trips people up when they think SPF alone means they're authenticated. It doesn't. Not without alignment (Step 5).
Step 2

Stay Under 10 DNS Lookups

What to do: Count the DNS lookups in your SPF record. Every include:, a:, mx:, and redirect= counts as one lookup. You get 10 total. Go over and your entire SPF record fails silently.

How to check: SPF Checker shows your lookup count.

Gotcha: Lookups count recursively. If your record says include:spf.esp.com and that record itself has 4 include: statements inside it, all 5 count toward your 10. Re-check the count every time you add a sending service.
Step 3

Enable DKIM Signing

What to do: Configure your sending service to sign outgoing emails with DKIM. This adds a cryptographic signature to every message that proves it wasn't tampered with in transit.

How to check: DKIM Checker. You'll need your domain and the DKIM selector (your ESP provides this).

Gotcha: Some ESPs sign emails with their own domain by default, not yours. This means DKIM passes but doesn't align with your From: domain, and that matters for DMARC (Step 4). Check that the d= value in the DKIM signature matches your domain.
Step 4

Publish a DMARC Record

What to do: Add a TXT record at _dmarc.yourdomain.com with at minimum: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

How to check: DMARC Parser. Enter your domain.

Important: p=none with a working rua= parser is a legitimate starting point. p=none with no rua= (or a rua= going to an unmonitored inbox) is decorative DNS.
Gotcha: Publishing p=none and forgetting about it is the most common mistake. Gmail and Yahoo require DMARC to exist, but p=none only monitors. It doesn't protect you from spoofing.
Step 5

Verify SPF or DKIM Alignment

What to do: Either SPF or DKIM (or both) must not only pass but also align with your From: domain.

How to check: Send yourself a test email, then run the headers through Email Header Analyzer. Look for dmarc=pass.

Gotcha: This is where most multi-ESP setups fail. You can have perfect SPF and perfect DKIM, but if neither one aligns with your From: header, DMARC fails.
Step 6

Set Up Forward and Reverse DNS

What to do: Your sending IPs need valid forward DNS (A record) and reverse DNS (PTR record), and they need to match each other.

How to check: MX Lookup for your domain to find sending IPs, then verify PTR records.

Gotcha: If you're on your ESP's shared IP pool, they handle this. If you're on a dedicated IP, it's on you. Shared IP senders: skip to Step 7.
Step 7

Implement One-Click Unsubscribe (5,000+ Senders)

What to do: All marketing emails must include RFC 8058 one-click unsubscribe headers: List-Unsubscribe (HTTPS URL) and List-Unsubscribe-Post: List-Unsubscribe=One-Click.

How to check: Send yourself a test marketing email. View full headers. Both headers must be present.

Gotcha: Having a "mailto:" unsubscribe link is not enough anymore. Gmail and Yahoo specifically require the RFC 8058 List-Unsubscribe-Post header.
Step 8

Keep Spam Complaints Below 0.10% (5,000+ Senders)

What to do: Treat 0.10% as your operational target. 0.30% is the cliff.

How to check:

Gotcha: Most senders only check Gmail Postmaster Tools. That leaves them blind to half their complaint data.
Step 9

Stop Using Free Email Addresses for Sending

What to do: Your From: address must be on a domain you control, not gmail.com, yahoo.com, or any free provider.

Gotcha: This catches small businesses who send marketing email from mybusiness@gmail.com. You need your own domain.
Step 10

Ensure Clean Message Formatting and Headers

What to do: Emails must follow RFC 5322. No header manipulation, no deceptive From: addresses, no malformed headers.

How to check: Email Header Analyzer.

Gotcha: If you're using a major ESP, they handle most formatting. But custom infrastructure needs careful header checking.
Step 11

Separate Transactional and Marketing Streams

What to do: Use separate subdomains or IPs for transactional email and marketing email.

Gotcha: This isn't an explicit Gmail/Yahoo requirement. But it's how you survive the spam rate threshold. If your marketing gets flagged, you don't want your password reset emails going to spam too.
Step 12

Move From p=none to Enforcement

What to do: p=none was always a starting line. Real DMARC means p=quarantine or p=reject.

Gotcha: Moving to p=reject too fast will block legitimate emails you forgot about. The safe path: p=none (monitor 2-4 weeks), then p=quarantine with pct=10, then gradually increase.

How Do You Score?

Score 12/12: Fully compliant

12/12

You're fully compliant. Now maintain it. Re-check quarterly, especially after adding new sending services.

Score 9-11: Almost there

9-11

Almost there. The gaps are probably Step 2 (SPF lookups), Step 8 (not monitoring spam rate), or Step 12 (still at p=none).

Score 5-8: Basics in place

5-8

You have the basics but you're exposed. Gmail and Yahoo are probably already throttling some of your mail.

Score under 5: Critical

Under 5

You're likely seeing deliverability problems. Start with Steps 1, 3, and 4. Authentication first, everything else follows.

ESP Quick-Reference

RequirementYour ESP usually handlesYou must configure yourself
SPFThey provide the include: valueYou add it to your DNS TXT record
DKIMThey generate the key pairYou publish the DNS record
DMARCNothingYou create and publish the entire record
One-click unsubscribeHeader generation + POST handlingVerify it's turned on
Spam rate monitoringSome in-app complaint metricsSet up Postmaster Tools, Yahoo CFL, SNDS/JMRP
Reverse DNSYes, for shared IPsOnly if you use a dedicated IP
Stream separationSome offer subdomain routingYou decide the architecture + set up DNS

What Changed and When

DateWhat happened
Feb 2024Gmail and Yahoo begin enforcing authentication for all senders
Apr 2024Gmail starts rejecting non-compliant bulk mail
Jun 2024One-click unsubscribe enforcement for 5,000+ senders
Sep 2024Enforcement fully active
Apr 2025Microsoft announces identical requirements
May 2025Microsoft begins enforcement
2025+Industry-wide adoption. The baseline expectation.

Stuck on a step? Need a human?

Email sos@reviewmyemails.com and we'll respond within 24 hours. Include your domain and the step you're working through.

Email SOS team